Legal

Security

How we protect your data and maintain platform integrity.

Last updated: March 1, 2026

1. Security Overview

At FanX, security is foundational to everything we build. We handle sensitive fan data, campaign configurations, and business-critical analytics for organizations worldwide. Our security program is designed to protect the confidentiality, integrity, and availability of all data entrusted to us.

2. Infrastructure Security

2.1 Hosting & Network

  • Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification.
  • All data transmitted over TLS 1.3 encryption.
  • Network segmentation and firewall rules to isolate services.
  • DDoS protection and rate limiting at the edge.
  • Regular infrastructure vulnerability scanning.

2.2 Data Encryption

  • In Transit: All API and web traffic encrypted with TLS 1.3.
  • At Rest: AES-256 encryption for all stored data, including database volumes and backups.
  • Secrets Management: API keys, tokens, and credentials stored using industry-standard vault solutions with automatic rotation.

3. Application Security

3.1 Authentication & Access Control

  • JWT-based Authentication: Short-lived access tokens with secure refresh token rotation.
  • API Key Authentication: Hashed API keys with scoped permissions for programmatic access.
  • Role-Based Access Control (RBAC): Four roles (Admin, Campaign Manager, Analyst, Viewer) with principle of least privilege.
  • Password Security: BCrypt hashing with salting; minimum complexity requirements enforced.
  • Session Management: Automatic session expiry and secure cookie handling.

3.2 Multi-Tenant Isolation

FanX is built as a multi-tenant platform with strict data isolation:

  • Every database query is scoped to the authenticated organization.
  • Organization context is injected server-side, not passed from the client.
  • Cross-tenant data access is architecturally impossible through normal API paths.
  • Super-admin access requires explicit organization context headers and is fully audited.

3.3 Input Validation & Protection

  • Server-side input validation on all API endpoints using schema validation.
  • Parameterized queries to prevent SQL injection.
  • Content Security Policy headers to prevent XSS attacks.
  • CORS configuration restricting allowed origins.
  • Request size limits and rate limiting per API key.

4. Data Protection

4.1 Backup & Recovery

  • Automated daily database backups with point-in-time recovery.
  • Backups encrypted and stored in a geographically separate region.
  • Regular backup restoration testing to verify integrity.
  • Recovery Point Objective (RPO): 1 hour.
  • Recovery Time Objective (RTO): 4 hours.

4.2 Audit Logging

Every significant action on the platform is logged with a full audit trail:

  • User identity, IP address, and timestamp for every action.
  • Before-and-after snapshots of data changes.
  • Campaign lifecycle events (publish, pause, complete).
  • Fan data access and modification events.
  • Integration connection and sync activities.
  • Audit logs are immutable and retained for a minimum of 12 months.

5. Operational Security

5.1 Development Practices

  • Secure Software Development Lifecycle (SSDLC) followed for all code changes.
  • Code reviews required before merging to production branches.
  • Automated security scanning in CI/CD pipelines.
  • Dependency vulnerability monitoring with automated alerts.
  • Secrets scanning to prevent accidental credential exposure.

5.2 Employee Access

  • Background checks for all team members with access to production systems.
  • Least-privilege access with regular access reviews.
  • Multi-factor authentication required for all internal systems.
  • Access revoked immediately upon role change or departure.

6. Incident Response

We maintain a documented incident response plan that includes:

  1. Detection: Automated monitoring, alerting, and anomaly detection across all systems.
  2. Containment: Immediate isolation of affected systems and revocation of compromised credentials.
  3. Investigation: Root cause analysis with forensic evidence preservation.
  4. Notification: Affected customers notified within 48 hours, with ongoing updates.
  5. Remediation: System hardening and process improvements to prevent recurrence.
  6. Review: Post-incident review with lessons learned documentation.

7. Compliance

  • GDPR: Full compliance with the General Data Protection Regulation. See our GDPR page.
  • CCPA: Compliance with the California Consumer Privacy Act for US-based users and fans.
  • SOC 2: Type II audit in progress, covering security, availability, and confidentiality.
  • Data Residency: Options available for customers requiring data to remain in specific geographic regions.

8. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to:

  • Email: contact@fanx.tech
  • Include a detailed description of the vulnerability and steps to reproduce it.
  • We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.
  • We will not take legal action against researchers who follow responsible disclosure practices.

9. Contact

For security-related questions or concerns, contact our security team at:
Email: contact@fanx.tech
Address: FanX, Level 18, 101 Grafton Street, Bondi Junction, 2022, Sydney, NSW